[refpolicy] SELinux: Could not downgrade policy file 24 on PPC boards

Stephen Smalley sds at tycho.nsa.gov
Fri Aug 28 06:48:03 CDT 2009


On Fri, 2009-08-28 at 09:01 +0000, TaurusHarry wrote:
> Hi all,
> 
> I have installed the latest SELinux user space tools released at the Tresys
> website on 2009-7-31, the max policy format version is 24. On the other side
> the max policy version number on the latest kernel still is 23. My approach
> is to first boot into "init=/bin/bash selinux=1" to load_policy and then
> restore security contexts for the whole file system, second boot up SELinux
> normally by "init=/sbin/bash selinux=1". On x86 targets (both 32bit and
> 64bit) the load_policy program could finish uneventfully:
> 
>    bash-3.2# /usr/sbin/load_policy -q /etc/selinux/target/policy/policy.24
>    type=1403 audit(1249926421.908:2): policy loaded auid=4294967295 ses=4294967295
>    bash-3.2#
> 
> However, on PPC 32 target (such as fsl_8548cds) the load_policy could run into
> following error:
> 
>    bash-3.2# /usr/sbin/load_policy -q /etc/selinux/target/policy/policy.24
>    SELinux:  Could not downgrade policy file /etc/selinux/target/policy/policy.24, searching for an older version.
>    SELinux:  Could not open policy file <= /etc/selinux/wr-strict/policy/policy.24:  No such file or directory
>    /usr/sbin/load_policy:  Can't load policy:  No such file or directory
>    bash-3.2#
>    bash-3.2# /usr/sbin/load_policy  -i
>    type=1404 audit(1888.016:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
>    libsepol.policydb_to_image: new policy image is invalid
>    libsepol.policydb_to_image: could not create policy image
>    SELinux:  Could not downgrade policy file /etc/selinux/wr-strict/policy/policy.24, searching for an older version.
>    SELinux:  Could not open policy file <= /etc/selinux/wr-strict/policy/policy.24:  No such file or directory
>    /usr/sbin/load_policy:  Can't load policy and enforcing mode requested:  No such file or directory
>    bash-3.2#
> 
> The kernel I am using is 2.6.27, why would the policy downgrading from 24 to 23
> succeed on x86 boards but fail on PPC boards? Do I have to update the kernel to
> the latest 2.6.31? And is there anything special I must pay attention to when
> building SELinux policy for the PPC target?
> 
> Any comments are greatly appreciated, thanks a lot!

This sounds like you have an older libsepol installed on the PPC system
that does not know how to handle policy.24 and thus cannot downgrade it.

You can of course force policy to be built to a particular version by
setting OUTPUT_POLICY in build.conf.

BTW, 2.6.27 had bugs in its open permission checking, so you should
disable the open_perms capability in policy/policy_capabilities or back
port the bug fixes to your kernel.

-- 
Stephen Smalley
National Security Agency
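A quick way to see the version mismatch the thread is about before calling load_policy, as an added example (not code from the thread or from the SELinux project): read the version out of the binary policy file header and compare it with the kernel's maximum. The header layout (little-endian magic 0xf97cff8c, length of the "SE Linux" string, the string, then the version word) is libsepol's on-disk format; the script reads bytes one at a time so it gives the same answer on a big-endian PPC host as on x86. The /selinux/policyvers path for 2.6-era kernels and the sample file are assumptions/constructed input.

```shell
#!/bin/sh
# Little-endian 32-bit value at byte offset $2 of file $1, independent of host byte order.
le32_at() {
    f=$1; off=$2
    set -- $(od -An -tu1 -N4 -j"$off" "$f")
    [ $# -eq 4 ] || return 1
    echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
}

# Print the policy version stored in a binary kernel policy file (policy.N).
policy_version() {
    f=$1
    # POLICYDB_MAGIC 0xf97cff8c == 4185718668 decimal
    [ "$(le32_at "$f" 0)" = 4185718668 ] || { echo "$f: not a binary SELinux kernel policy" >&2; return 2; }
    slen=$(le32_at "$f" 4)            # length of the "SE Linux" identifier string
    le32_at "$f" $((8 + slen))        # version word follows the string
}

# Return 0 if the file can be loaded as-is, 1 if it is newer than the kernel supports
# (then libsepol must downgrade it, or the policy must be rebuilt with OUTPUT_POLICY set).
# Second argument overrides the kernel value so this can run where SELinux is not mounted.
policy_fits_kernel() {
    f=$1
    if [ -n "$2" ]; then kvers=$2
    elif [ -r /sys/fs/selinux/policyvers ]; then kvers=$(cat /sys/fs/selinux/policyvers)
    elif [ -r /selinux/policyvers ]; then kvers=$(cat /selinux/policyvers)   # assumed 2.6-era mount point
    else echo "cannot read kernel policyvers" >&2; return 2
    fi
    pvers=$(policy_version "$f") || return 2
    if [ "$pvers" -gt "$kvers" ]; then
        echo "policy is version $pvers but kernel supports <= $kvers; needs downgrade or OUTPUT_POLICY=$kvers" >&2
        return 1
    fi
    echo "policy version $pvers is loadable on a kernel whose max is $kvers"
}

# Constructed sample header (not a real policy): magic, strlen 8, "SE Linux", version 24, config 0.
sample=${TMPDIR:-/tmp}/policy.24.sample
printf '\214\377\174\371\010\000\000\000SE Linux\030\000\000\000\000\000\000\000' > "$sample"

echo "sample policy version: $(policy_version "$sample")"
policy_fits_kernel "$sample" 23 || echo "(this is the PPC scenario from the thread: policy.24 on a version-23 kernel)"
```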


